feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s

- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
This commit is contained in:
Gan, Jimmy
2026-02-28 22:25:39 +08:00
parent 8c30fb7a3a
commit 3fd045aacb
8 changed files with 338 additions and 4 deletions
+1 -1
View File
@@ -61,7 +61,7 @@ def is_lan_ip(ip_str: str) -> bool:
except ValueError:
return False
TRUSTED_PROXIES = os.environ.get("TRUSTED_PROXIES", "127.0.0.1,::1,172.16.0.0/12,10.0.0.0/8").split(",")
TRUSTED_PROXIES = os.environ.get("TRUSTED_PROXIES", "127.0.0.1,::1,172.16.0.0/12").split(",")
def is_trusted_proxy(ip_str: str) -> bool:
import ipaddress